Data protection refers to a set of rules surrounding the collection and storage of personal data (personal data is any data relating to an identified or identifiable person). The Data Protection Act (DPA) is a UK Act of Parliament designed to protect peoples' personal data by law, it's now in its third wave, known as the DPA 2018 (previously 1998). Every organisation in the UK that processes personal data must comply with the regulations set out in the DPA 2018.
There is a special category of personal data which is deemed to be more sensitive and known as 'sensitive personal data'. The following data falls into this category: race, ethnicity, political opinions, religion, trade union membership, genetics, biometrics, health and sexual life/orientation. Individuals and companies that use data within the special data category are subject to tighter data protection restrictions.
The eight principles of the DPA 1998 are outlined below, these are broadly carried over to the DPA 2018, which modernises the Act in line with GDPR guidelines:
- Use of data should be fair and lawful
- Data should be held and used for reasons given to the Information Commissioner's Office (ICO)
- Data should be used for registered purposes only
- Data must be adequate, relevant and not excessive
- Data must be accurate and kept up to date
- Data should not be kept for longer than is necessary
- Data must be kept safe and secure
- Data must not transferred out of European Economic Area (comprising the EU countries plus Iceland, Liechtenstein and Norway, all of which operate within the EU's single market) unless the country of transfer has suitable data protection laws
The GDPR also introduced the new principle of "Accountability" to data protection, making data controllers more responsible for compliance with the principles of the DPA. Under the DPA 2018, which follows GDPR directives, data controllers are responsible for compliance and must be able to demonstrate their compliance (in fact, unless they can demonstrate compliance, they are not, in fact, compliant!). This clause will mean that many organisations must step-up their efforts when it comes to documenting decisions, keeping records, and demonstrating employee training activity.
Key Data Protection Terminology:
The Data Controller is the organisation that owns personal data and decides what it will be used for. The way in which a data controller can use, store, and process information is governed by the data protection principles outlined above.
Data Processors organisations that process data on behalf of data controllers, e.g. DeltaNet International. If your organisation outsources functions (e.g. eLearning) to third parties that require data in order to provide a service, the data controller is responsible for ensuring compliance. A written contract must be signed between data controllers and data processors.
Data Subjects is any person whose personal or sensitive data is being collected, stored, or processed. Almost 100% of us are data subjects, so it is important to familiarise ourselves with our rights under the DPA 2018.
The Evolution of the Data Protection Act
The Data Protection Act 1998
As the use of computers within organisations increased, in 1998 it was deemed necessary to introduce legislation governing the use of personal data. The Data Protection Act 1998 was passed with the aim of protecting data and preventing it from getting into the wrong hands. The act comprises a set of rules enforcing the principles listed above which are enforced by the Information Commissioner. All who store personal information must register with the Information Commissioner's Office (ICO) and declare what information they will store, how they will store it and how it will be used. The Act gives data subjects the following rights over the information that is stored about them:
- Access to the data stored about them
- Correction of data
- Prevention of use of data they believe will cause distress if used
- Prevention of direct marketing
- To prevent automatic decisions being made about them
- Complaint to the Information Commissioner
- Compensation – if data is inaccurate, lost or disclosed
The Data Protection Act 2018
More recently, the Data Protection Act 2018 has been introduced alongside the General Data Protection Regulation (GDPR) which applies to all countries in the EU. The DPA 2018 follows GDPR directives, but with some UK-specific additions regarding domestic issues like immigration and national security. As with GDPR, the Act modernises data protection, seeking to apply its principles to the evolving world of technology we live and work in. The Act also emphasises the importance of transparency (e.g. the mandatory publication of privacy notices in GP surgeries), as well as bringing in modern issues surrounding social media and big data sets.
The Data Protection Act 2018 outlines an explicit set of rules to be followed when gaining consent for processing personal data. Consent must be:
- Freely given
- Capable of being easily withdrawn at any time
- Indicated by a clear affirmative action
Data protection can seem overwhelming with several sets of legislation which require adhering to simultaneously. Education and training for you and your employees will help to establish a solid understanding of data restrictions and ensure compliance with the law.